Data Lifecycle Risks Considerations and Controls

Data Lifecycle: Risk Considerations and Controls October, 2013

Data Lifecycle Risk Considerations and Controls

Carlos Chalico

CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador

Ouest Business Solutions Inc.

Director Eastern Region

2@CarlosChalicoT

#ISACA_DDay

What´s in this for you?

By the end of this session you will:

• Understand the concept of data and general considerations regarding its classification.

• Know some of the risks data faces in a data management lifecycle.

• Challenge the relationship between business activities and human behaviour when managing data.

3

First things first

4

Title: Elephant In The Room Artist: Leah Saulnier The Painting Maniac Medium: Painting - Oil

http://www.google.com.mx/url?sa=i&source=images&cd=&cad=rja&docid=NAaWidJVDr5_ZM&tbnid=yu02uz8oBI7G8M:&ved=0CAgQjRwwAA&url=http%253A%252F%252Ffineartamerica.com%252Ffeatured%252Felephant-in-the-room-leah-saulnier-the-painting-maniac.html&ei=59MwUteeGofS2wWcmYH4DA&psig=AFQjCNE9fPozAhzq0kt8Ava5uG1ALf3CNQ&ust=1379018087593443

http://www.google.com.mx/url?sa=i&rct=j&q=canadian%2520flag&source=images&cd=&cad=rja&docid=UefJ6rjsNAkV6M&tbnid=WURaw2xqlXL7nM:&ved=0CAUQjRw&url=http%253A%252F%252Fwww.radiokerry.ie%252Fnews%252Fcanadian-police-stop-al-qaeda-linked-terror-attack%252Fattachment%252Fcanadian-flag%252F&ei=qtUwUuTVH-_22AW4moDoBQ&bvm=bv.52109249,d.b2I&psig=AFQjCNFWErlozkFu-pb-7tBAHt_UCtxRDw&ust=1379018524041220

http://www.google.com.mx/url?sa=i&rct=j&q=mEXICAN%2520FLAG&source=images&cd=&cad=rja&docid=UuXKH3JzwO8rZM&tbnid=-CWgYbvF1Js2GM:&ved=0CAUQjRw&url=http%253A%252F%252Fwww.mapsofworld.com%252Fflags%252Fmexico-flag.html&ei=zdUwUoG1KdOI2gXyjYCQBA&bvm=bv.52109249,d.b2I&psig=AFQjCNEdlUE3ovdgwzYE0jldnN7e7jZLdQ&ust=1379018571080394

So, what does this mean?

DATA5

@CarlosChalicoT #ISACA_DDay

Data (Wikipedia)Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of qualitative or quantitative variables, belonging to a set of items. Data in computing (or data processing) are represented in a structure, often tabular (represented by rows and columns), a tree (a set of nodes with parent-children relationship) or a graph structure (a set of interconnected nodes). Data are typically the results of measurements and can be visualised using graphs or images. Data as an abstract concept can be viewed as the lowest level of abstraction from which information and then knowledge are derived. Raw data, i.e., unprocessed data, refers to a collection of numbers, characters and is a relative term; data processing commonly occurs by stages, and the "processed data" from one stage may be considered the "raw data" of the next. Field data refers to raw data collected in an uncontrolled in situ environment. Experimental data refers to data generated within the context of a scientific investigation by observation and recording. !The word data is the plural of datum, neuter past participle of the Latin dare, "to give", hence "something given". In discussions of problems in geometry, mathematics, engineering, and so on, the terms givens and data are used interchangeably. Such usage is the origin of data as a concept in computer science or data processing: data are numbers, words, images, etc., accepted as they stand.

6@CarlosChalicoT

#ISACA_DDay

Data (Wikipedia)

7

Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of qualitative or quantitative variables, belonging to a set of items. Data in computing (or data processing) are represented in a structure, often tabular (represented by rows and columns), a tree (a set of nodes with parent-children relationship) or a graph structure (a set of interconnected nodes). Data are typically the results of measurements and can be visualised using graphs or images. Data as an abstract concept can be viewed as the lowest level of abstraction from which information and then knowledge are derived. Raw data, i.e., unprocessed data, refers to a collection of numbers, characters and is a relative term; data processing commonly occurs by stages, and the "processed data" from one stage may be considered the "raw data" of the next. Field data refers to raw data collected in an uncontrolled in situ environment. Experimental data refers to data generated within the context of a scientific investigation by observation and recording. !The word data is the plural of datum, neuter past participle of the Latin dare, "to give", hence "something given". In discussions of problems in geometry, mathematics, engineering, and so on, the terms givens and data are used interchangeably. Such usage is the origin of data as a concept in computer science or data processing: data are numbers, words, images, etc., accepted as they stand.


Data• Values of qualitative or quantitative variables.

• Represented in a structure:

- Tabular.

- Tree.

- Graph.

• Results.

• Lowest level of abstraction for information and knowledge.

• Numbers, words, images, accepted as they stand.8


Data

9

Data + Value = Information

KnowledgeDecision Making

Failure

SuccessResults


Classifying Data

DATA

10

Process Sensitivity

IT Infrastructure@CarlosChalicoT

#ISACA_DDay

Classifying Data: Process

11

Financial

Commercial

Strategic

Operational

Personal

Raw Unnecesary...

Combined@CarlosChalicoT

#ISACA_DDay

Classifying Data: Sensitivity

Top Secret Secret

Sensitive Confidential Proprietary

Public12


13

Top Secret Secret Sensitive Confidential Proprietary Public

Financial

Financial

Financial

Financial

Financial

Financial

Classifying Data

Personal

Personal

Commercial

Commercial

Commercial

Strategic

Strategic

Strategic

Strategic

Strategic

Operational

Operational

Operational

Operational

Operational

OperationalRaw

Raw

Combined

Combined

Combined


14

Classifying Data

15

Understanding Data Classification Based on Business and Security RequirementsISACA Journal, 2006, Volume 5; Rafael Etges, CISA, CISSP and Karen McNeil

Classifying Data


http://www.google.com.mx/url?sa=i&source=images&cd=&cad=rja&docid=vxu9la427hhDoM&tbnid=qVc0asuxjorZBM:&ved=0CAgQjRwwAA&url=http%253A%252F%252Fwww.isaca.org%252FJournal%252FPast-Issues%252F2006%252FVolume-5%252FPages%252FJOnline-Understanding-Data-Classification-Based-on-Business-and-Security-Requirements1.aspx&ei=HoQ3UpGmEeOd2QW37IGADw&psig=AFQjCNEA4sityYf74gVI41Byp9z7MrRjOA&ust=1379456414350867


Data - conceptData - classification

Data Lifecycle

17@CarlosChalicoT

#ISACA_DDay

Data Lifecycle Risks

Before

!

During

!

After

18

Confidentiality

!

Integrity

!

Availability


Countermeasures

• Information Security Programs - COBIT

- ISO27000

- ISO38500

- ITIL

• Specific Controls - Data Loss Prevention

- Awareness

- Incident Response Management

• Compliance19

Governance

Corporate

IT

Data@CarlosChalicoT

#ISACA_DDay

What about today?

20

New Trends

New Trends

21@CarlosChalicoT

#ISACA_DDay

New Trends

22@CarlosChalicoT

#ISACA_DDay

New Trends

23@CarlosChalicoT

#ISACA_DDay


Data LifecycleRisks in data lifecycleCountermeasuresRisks in new trends

New Trends

25@CarlosChalicoT

#ISACA_DDay

Where are we going?

• Real stories:

- The ones capable of identifying who is pregnant.

- The ones capable of knowing where you are without letting you notice it.

- The ones using your personal data for not intended purposes without your consent.

- The ones tweetting without taking care of its company reputation.

26@CarlosChalicoT

#ISACA_DDay

27

Where are we going?

Values

Behavioral actions

Changing the Social Contract@CarlosChalicoT

#ISACA_DDay

28

Where are we going?

Identity

Reputation

Privacy

Ownership@CarlosChalicoT

#ISACA_DDaySource: Ethics of Big Data, Kord Davis

29

Where are we going?

Take care of the

LIFESTREAM

YoursYour

Organization’s@CarlosChalicoT

#ISACA_DDaySource: Ethics of Big Data, Kord Davis

Where are we going?

30

Inquiry

Analysis

Articulation

Action


Ethics of Big Data

Source: Ethics of Big Data, Kord Davis

Bibliography

31@CarlosChalicoT

#ISACA_DDay


What happensWhere we are going

Conclusions

• You need to know your data.

• Data needs to be protected according to the process they serve or support and also considering their sensitivity.

• COBIT 5 is a good framework to define controls related to data classification and protection.

• Data faces risks all over their lifecycle.

• Countermeasures defined shall be alligned to corporate and IT governance.

33@CarlosChalicoT

#ISACA_DDay

Conclusions

• New technologies and processes always, always (yes, always) bring new risks into the landscape.

• Big Data considerations are changing the social contract.

• You need to use your values and do what is right and should be considered right by others when managing data.

• You should take care of your lifestream and your company’s.

34@CarlosChalicoT

#ISACA_DDay

Final Thoughts

35

http://www.slideshare.net/sap/99-facts-on-the-future-of-business@CarlosChalicoT

#ISACA_DDay

http://www.slideshare.net/sap/99-facts-on-the-future-of-business

Final Thoughts

36@CarlosChalicoT

#ISACA_DDay

Final Thoughts

37@CarlosChalicoT

#ISACA_DDay

Final Thoughts

38@CarlosChalicoT

#ISACA_DDay

Final Thoughts

39@CarlosChalicoT

#ISACA_DDay

Final Thoughts

40@CarlosChalicoT

#ISACA_DDay

Final Thoughts

41

SAP & Vuzix Augmented Reality


Final Thoughts

42@CarlosChalicoT

#ISACA_DDay

Final Thoughts

43@CarlosChalicoT

#ISACA_DDay

Final Thoughts

44@CarlosChalicoT

#ISACA_DDay

Questions and Answers

45

Carlos Chalico

CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador

Ouest Business Solutions Inc.

[email protected]

(647)6388062

twitter: @CarlosChalicoT

LinkedIn: ca.linkedin.com/in/carloschalico/@CarlosChalicoT

#ISACA_DDay

mailto:[email protected]

http://ca.linkedin.com/in/carloschalico/


Thank You!

Data & Analytics

Data Lifecycle Risks Considerations and Controls